Jamie Oliver site re-infected with ransomware
Fri 13 Mar 2015
The website of celebrity chef Jamie Oliver has been re-hacked with digitally-signed malware, according to the security investigators who found the original vulnerability nearly a month ago.
Over at MalwareBytes’ blog, Jérôme Segura writes today that the cockney cook’s highly popular website – ranked 535th in the UK – has now been compromised with the same injection as before, this time hidden in the HTML source code of the jamieoliver.com homepage:
The report acknowledges that the team behind the website appeared to have eliminated the infection after the initial publicity, but that a compromised site often retains the means of re-infecting itself: “Sadly, it appears as though the problem has returned,” writes Segura, “or perhaps was not completely dealt with. It is indeed quite common for a hacked server to retain malicious shells or backdoors that keep on reinfecting the site.”
A quick look at the site’s source code shows that the offending tag has since been ‘commented out’ rather than removed, presumably in an administrative response to the new MalwareBytes report.
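As an added illustration (not code from the article or from MalwareBytes), the following Python check scans a page’s HTML for third-party script sources against an allow-list of expected hosts, and also looks inside HTML comments, so that a tag that was merely commented out is reported rather than silently ignored. The sample markup and the allow-list are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptFinder(HTMLParser):
    """Collect src attributes of <script> tags, including tags inside comments."""

    def __init__(self, inside_comment=False):
        super().__init__()
        self.found = []                     # list of (src, inside_comment)
        self._inside_comment = inside_comment

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.found.append((src, self._inside_comment))

    def handle_comment(self, data):
        # A tag merely wrapped in <!-- --> is still in the page source and one
        # edit away from being live, so parse the comment body too and flag it.
        inner = _ScriptFinder(inside_comment=True)
        inner.feed(data)
        inner.close()
        self.found.extend(inner.found)


def find_injected_scripts(html, allowed_hosts):
    """Return [(src, commented_out)] for every script whose host is not in
    allowed_hosts. Relative (same-origin) sources are treated as trusted."""
    parser = _ScriptFinder()
    parser.feed(html)
    parser.close()
    return [(src, commented) for src, commented in parser.found
            if urlparse(src).hostname not in (None, *allowed_hosts)]


# Constructed sample page: one local script, one allow-listed CDN, one live
# unknown domain, and the same unknown tag "cleaned up" by commenting it out.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-allowed.com/lib.js"></script>
<script src="http://example-unknown.invalid/ad.js"></script>
<!-- <script src="http://example-unknown.invalid/ad.js"></script> -->
</head></html>"""

if __name__ == "__main__":
    for src, commented in find_injected_scripts(SAMPLE_HTML, {"cdn.example-allowed.com"}):
        print(("COMMENTED-OUT " if commented else "LIVE ") + src)
```

Run against a saved copy of the homepage on a schedule, a non-empty result is a signal that the injection has returned or was never actually removed.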
The malware that the persistent injection seeks to install is called Trojan.Dorkbot.ED, which MalwareBytes classifies within a family of ransomware strains.
The new article notes that the malware users are at risk of being infected with is digitally signed, though with an expired certificate.
Upon initial infection, the Trojan.Dorkbot.ED ransomware copies itself to Windows system files and creates a registry entry intended to run it at boot time. The trojan gathers local data and sends it to a C&C server, updates itself over the victim’s internet connection as necessary, and accepts commands from a remote attacker.